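#! /bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network $syslog $named
# Required-Stop:     $network $syslog $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Provide firewalling
# Description:       Provide firewalling
### END INIT INFO

# Host firewall (iptables / ip6tables) as a SysV init script.
#
# Usage: firewall {start|stop|restart|status}
#
# The IPv4 rule set is generated from the NET_FE_IN / NET_FE_OUT lists by
# rules() (see its header for the spec format); the IPv6 rules are written
# out literally in start().  The bracketed placeholders below must be
# replaced with site values before the script is used.

set -e

DELIMITER="-----------------------------------------------------------------------------------------------------------------"
N="$0"
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
POL=DROP

IP6_EXT="[mon ip6 externe]"
IP_BOX="[l'IP de ma gateway]"
IP6_BOX="[l'IP6 de ma gateway]"
IP_DNSSRV="[l'IP de mon premier serveur DNS]"
IP_DNSSRV2="[l'IP de mon second serveur DNS]"
IP_NTP="129.69.1.153"   #rustime01.rus.uni-stuttgart.de
IP_NTP2="143.93.99.252" #ntps1-0.fh-mainz.de
IP_NTP3="82.96.64.2"    #ntp.probe-networks.de
FQDN_NTP="canon.inria.fr"
FQDN_NTP2="ntp2.fau.de"
FQDN_NTP3="ptbtime1.ptb.de"
#FQDN_ADBLOCKPLUS="server6.adblockplus.org"
IP_ADBLOCK_LISTEFR="159.253.130.94"
IP_INT1="[l'IP de ma première bécane amie sur le LAN]"
IP_INT2="[l'IP de ma seconde bécane amie sur le LAN]"

IF_FE="eth0"
IP_NULL="127.0.0.1"
IP_FE="192.168.1.242"
LOCALNET_FE="[le range de mon LAN/24]"

# Inbound specs on IF_FE (format: see rules()).
NET_FE_IN="ALL_${IP_FE}:22,80,443,465/tcp \
ALL_ALL:25/tcp \
ALL_${IP_NULL}:4300:65535/tcp \
${LOCALNET_FE}_${IP_FE}:2049,4242/tcp \
${LOCALNET_FE}_${IP_FE}:111/tcp \
${LOCALNET_FE}_${IP_FE}:111,2049/udp \
${LOCALNET_FE}_${IP_FE}:993,143,465/tcp \
ALL_${IP_FE}:993,143,465/tcp \
ALL_${IP_FE}:4662,4665/tcp \
ALL_${IP_FE}:4672/udp \
${LOCALNET_FE}_${IP_FE}:137:139/udp \
${LOCALNET_FE}_${LOCALNET_FE}:137:139/udp \
${LOCALNET_FE}_${IP_FE}:12865/tcp \
${LOCALNET_FE}_${IP_FE}:8250/tcp \
${LOCALNET_FE}_${IP_FE}:9102/tcp \
ALL_${IP_FE}:51413/udp \
ALL_${IP_FE}:51413/tcp \
${LOCALNET_FE}_${IP_FE}:445/tcp"

# Outbound specs on IF_FE.
# NOTE: FQDN_DYNDNS_CHECKIP is not set anywhere in this file and
# FQDN_ADBLOCKPLUS is commented out above.  An unset variable leaves an
# empty host in its spec, which rules() now rejects instead of silently
# turning the entry into "any destination" -- define both variables (or
# remove their two entries) before starting.
NET_FE_OUT="${IP_FE}_${IP_DNSSRV}:53/udp \
${IP_FE}_${IP_DNSSRV2}:53/udp \
${IP_FE}_ALL:53/udp \
${IP_FE}_ALL:6881:6889,51413/udp \
${IP_FE}_ALL:4300:65535/tcp \
${IP_FE}:51413_ALL/udp \
${IP_FE}_${FQDN_NTP}:123/udp \
${IP_FE}_${FQDN_NTP2}:123/udp \
${IP_FE}_${FQDN_NTP3}:123/udp \
${IP_FE}_${IP_NTP}:123/udp \
${IP_FE}_${IP_NTP2}:123/udp \
${IP_FE}_${IP_NTP3}:123/udp \
${IP_FE}_${IP_BOX}:80/tcp \
${IP_FE}_${FQDN_DYNDNS_CHECKIP}:80/tcp \
${IP_FE}_${FQDN_ADBLOCKPLUS}:80/tcp \
${IP_FE}_${IP_ADBLOCK_LISTEFR}:80/tcp \
${IP_FE}_linuxcounter.net/icmp \
${IP_FE}_bugs.debian.org:80/tcp \
${IP_FE}_ftp.fr.debian.org:80/tcp \
${IP_FE}_ALL:80,443,6667,6668/tcp \
${IP_FE}_${IP_INT2}:22/tcp \
${IP_FE}_${IP_INT1}:22,8888/tcp"

ICMP="on"

#if [[ "ACCEPT" == "$1" ]]; then
#  POL="$1"
#fi

#######################################
# True when $1 looks like an IPv4 range "a.b.c.d-e.f.g.h": only digits, dots
# and a dash.  A hyphenated FQDN therefore is NOT treated as a range (it
# would otherwise be handed to -m iprange and rejected by iptables).
#######################################
is_ip_range () {
  case "$1" in
    *[!0-9.-]*) return 1 ;;
    *-*)        return 0 ;;
    *)          return 1 ;;
  esac
}

#######################################
# Split one endpoint "HOST[:PORT][/PROTO]" of a rule spec.
# Arguments: $1 - the endpoint, $2 - the whole spec (for the error message)
# Writes:    ep_host  ("" for "ALL"), ep_port, ep_proto
# Exits 1 when HOST is empty; that almost always means an unset variable
# was interpolated into the spec list, and an empty host would otherwise
# be indistinguishable from "ALL".
#######################################
parse_endpoint () {
  ep="$1"
  case "$ep" in
    */*) ep_proto="${ep#*/}" ;;
    *)   ep_proto="" ;;
  esac
  ipport="${ep%/*}"
  case "$ipport" in
    *:*) ep_port="${ipport#*:}" ;;   # keeps "lo:hi" ranges intact
    *)   ep_port="" ;;
  esac
  ep_host="${ipport%%:*}"
  if [ -z "$ep_host" ]; then
    echo "ERROR: empty host in rule spec '$2' (unset variable?). Exiting." >&2
    exit 1
  fi
  [ "$ep_host" != "ALL" ] || ep_host=""
}

#######################################
# Append ACCEPT rules to the INPUT or OUTPUT chain.
# Arguments:
#   $1  "in" (INPUT chain) or "out" (OUTPUT chain)
#   $2  whitespace-separated rule specs, each
#         SRC[:PORT][/PROTO]_DST[:PORT][/PROTO]
#       SRC, DST : "ALL", an IPv4 address, an IPv4 range "a-b" (-m iprange)
#                  or a FQDN
#       PORT     : a port, a range "lo:hi", or a comma list (-m multiport)
#       PROTO    : a protocol name as accepted by iptables -p
#       PORT and PROTO may be omitted.  Either side may carry the PROTO; if
#       both do, they must be identical.
#       Example: ALL_192.168.0.1-192.168.0.254:80/tcp
#   $3  interface name, "ANY" or empty: no -i/-o restriction (optional)
#   $4  conntrack states, e.g. "RELATED,ESTABLISHED" (optional; ignored
#       unless it names NEW, RELATED or ESTABLISHED)
# Outputs:  one '.' per rule on stdout; errors on stderr
# Returns:  0; exits 1 on a bad direction, conflicting protocols or an
#           empty host (see parse_endpoint)
# Note: a FQDN is resolved by iptables once, when the rule is loaded; the
#   rule pins whatever address DNS returned at that moment and is not
#   updated afterwards.
#######################################
rules () {
  case "$1" in
    in)  direction="INPUT" ;;
    out) direction="OUTPUT" ;;
    *)
      echo "ERROR: rules(): direction must be 'in' or 'out', got '$1'. Exiting." >&2
      exit 1
      ;;
  esac

  # Interface: -i on INPUT, -o on OUTPUT.
  iface=""
  if [ -n "$3" ] && [ "$3" != "ANY" ]; then
    if [ "$direction" = "INPUT" ]; then
      iface="-i $3"
    else
      iface="-o $3"
    fi
  fi

  # Connection state, only when $4 names a conntrack state.
  state=""
  case "$4" in
    *NEW*|*RELATED*|*ESTABLISHED*) state="-m state --state $4" ;;
  esac

  [ -n "$2" ] || return 0

  # shellcheck disable=SC2086 -- $2 is a whitespace-separated list by contract
  for j in $2; do
    printf '.'
    opts=""

    parse_endpoint "${j%_*}" "$j"      # everything before the last '_'
    srcip=$ep_host; srcport=$ep_port; srcproto=$ep_proto
    parse_endpoint "${j#*_}" "$j"      # everything after the first '_'
    dstip=$ep_host; dstport=$ep_port; dstproto=$ep_proto

    # Protocol: one -p for the rule; both sides must agree if both set it.
    if [ -n "$srcproto" ] && [ -n "$dstproto" ] && [ "$srcproto" != "$dstproto" ]; then
      echo "ERROR: srcproto $srcproto and dstproto $dstproto must be the same ! Exiting." >&2
      exit 1
    fi
    if [ -n "$srcproto" ]; then
      opts="-p $srcproto"
    elif [ -n "$dstproto" ]; then
      opts="-p $dstproto"
    fi

    # Hosts: an IPv4 range needs -m iprange; an address or FQDN goes to -s/-d.
    if [ -n "$srcip" ]; then
      if is_ip_range "$srcip"; then
        opts="$opts -m iprange --src-range $srcip"
      else
        opts="$opts -s $srcip"
      fi
    fi
    if [ -n "$dstip" ]; then
      if is_ip_range "$dstip"; then
        opts="$opts -m iprange --dst-range $dstip"
      else
        opts="$opts -d $dstip"
      fi
    fi

    # Ports: a comma list needs -m multiport; "lo:hi" and single ports do not.
    case "$srcport" in
      "")  ;;
      *,*) opts="$opts -m multiport --sports $srcport" ;;
      *)   opts="$opts --sport $srcport" ;;
    esac
    case "$dstport" in
      "")  ;;
      *,*) opts="$opts -m multiport --dports $dstport" ;;
      *)   opts="$opts --dport $dstport" ;;
    esac

    # shellcheck disable=SC2086 -- the option strings must word-split
    $IPT -A "$direction" $iface $opts $state -j ACCEPT
  done
}

#######################################
# Flush every IPv4 table and reset its policies to ACCEPT (firewall off);
# flush IPv6 and leave it at DROP.  Also disables IPv4 forwarding.
#######################################
stop () {
  # disable forwarding
  echo 0 > /proc/sys/net/ipv4/ip_forward

  # clear rules
  $IPT -F
  $IPT -X
  $IPT -t nat -F
  $IPT -t nat -X

  # default policies
  $IPT -P INPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  $IPT -P OUTPUT ACCEPT
  $IPT -t nat -P PREROUTING ACCEPT
  $IPT -t nat -P POSTROUTING ACCEPT
  $IPT -t nat -P OUTPUT ACCEPT

  # clear rules, IPv6
  $IPT6 -F
  $IPT6 -X

  # default policies, IPv6
  $IPT6 -P INPUT DROP
  $IPT6 -P FORWARD DROP
  $IPT6 -P OUTPUT DROP
}

#######################################
# Emergency fallback: DROP on every IPv4 chain.  Installed as the EXIT trap
# while start() rebuilds the rule set, so an aborted start (iptables error,
# bad spec, set -e) does not leave the ACCEPT policies set by stop().
#######################################
fail_closed () {
  echo "firewall activation FAILED - setting DROP policies" >&2
  $IPT -P INPUT DROP || true
  $IPT -P FORWARD DROP || true
  $IPT -P OUTPUT DROP || true
}

#######################################
# Build the complete rule set.  Runs stop() first, so the tables are open
# until the final policies are set; fail_closed() covers that window.
#######################################
start () {
  printf 'activating firewall... '

  stop # just in case...

  fw_ok=0
  trap '[ "$fw_ok" = 1 ] || fail_closed' EXIT

  # enable loopback iface
  # NOTE(review): there is no loopback accept for IPv6; with the DROP
  # policies from stop(), ::1 traffic is blocked -- confirm that is intended.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT

  ################################################################
  # INPUT

  if [ "$ICMP" = "on" ]; then
    $IPT -A INPUT -p icmp -j ACCEPT
  else
    $IPT -A INPUT -p icmp -j DROP
  fi

  rules in ALL_ALL ANY RELATED,ESTABLISHED
  rules in "$NET_FE_IN" "$IF_FE"

  ############
  # Logging - PLEASE NO MORE RULES AFTER THIS LINE !
  # (the DROPs below only keep LAN broadcast/multicast noise out of the log)
  #$IPT -A INPUT -p udp --dport 137 -j DROP
  #$IPT -A INPUT -p udp --dport 138 -j DROP
  $IPT -A INPUT -p udp --dport 67 -j DROP # DHCP
  $IPT -A INPUT -p udp --dport 68 -j DROP # DHCP
  $IPT -A INPUT -p udp --dport 17500 -j DROP
  $IPT -A INPUT -d 239.255.255.250 -j DROP # uPNP
  $IPT -A INPUT -s 224.0.0.0/24 -j DROP # IGMP
  $IPT -A INPUT -d 224.0.0.0/24 -j DROP # IGMP
  # $IPT -A INPUT -m limit --limit 5/m --limit-burst 10 -j LOG --log-prefix "INPUT " --log-uid

  ################################################################
  # IPv6 INPUT
  $IPT6 -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT6 -A INPUT -p tcp -d "${IP6_EXT}" -m multiport --dports 22,80,443 -j ACCEPT
  $IPT6 -A INPUT -p icmpv6 -d "${IP6_EXT}" -j ACCEPT

  ################################################################
  # FORWARD
  #echo 1 > /proc/sys/net/ipv4/ip_forward
  #$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  ################################################################
  # OUTPUT

  if [ "$ICMP" = "on" ]; then
    # $IPT -A OUTPUT -p icmp ! -o $IF_FE -j ACCEPT
    $IPT -A OUTPUT -p icmp -o "$IF_FE" -j ACCEPT
  else
    $IPT -A OUTPUT -p icmp -j DROP
  fi

  rules out ALL_ALL ANY RELATED,ESTABLISHED
  rules out "$NET_FE_OUT" "$IF_FE"

  ############
  # Logging - PLEASE NO MORE RULES AFTER THIS LINE !
  #$IPT -A OUTPUT -p udp --dport 137 -j DROP
  #$IPT -A OUTPUT -p udp --dport 138 -j DROP
  #$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT " --log-uid
  # $IPT -A OUTPUT -m limit --limit 5/m --limit-burst 10 -j LOG --log-prefix "OUTPUT " --log-uid

  ################################################################
  # IPv6 OUTPUT
  $IPT6 -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT6 -A OUTPUT -p tcp -s "${IP6_EXT}" -m multiport --sports 80,443 -j ACCEPT
  $IPT6 -A OUTPUT -p tcp -d 2a01:e0c:1:1598::2 --dport 80 -j ACCEPT # ftp.fr.debian.org
  $IPT6 -A OUTPUT -p icmpv6 -s "${IP6_EXT}" -j ACCEPT

  # default policies
  # (this is not at the beginning of the "start" function because if it
  # were, DNS queries wouldn't work: iptables resolves the FQDNs in the
  # specs while the rules above are being loaded)
  $IPT -P INPUT "$POL"
  $IPT -P FORWARD "$POL"
  $IPT -P OUTPUT "$POL"

  fw_ok=1
  trap - EXIT
  echo "firewall activated !"
}

#######################################
# stop followed by start.
#######################################
restart () {
  stop
  start
}

#######################################
# Print the IPv6 filter, IPv4 filter and IPv4 nat tables with counters.
#######################################
status () {
  echo "$DELIMITER"
  echo "------------------------------------------------------ IPv6 -----------------------------------------------------"
  $IPT6 -nvL
  echo "$DELIMITER"
  echo "------------------------------------------------------ IPv4 -----------------------------------------------------"
  $IPT -nvL
  echo "$DELIMITER"
  $IPT -t nat -nvL
  echo "$DELIMITER"
}

case "$1" in
  start)
    start
    ;;
  restart)
    restart
    ;;
  status)
    status
    ;;
  stop)
    stop
    ;;
  *)
    printf 'Usage: %s {start|stop|restart|status}\n' "$N" >&2
    exit 1
    ;;
esac

exit 0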